Evercookies: extremely persistent browser cookies

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#41 Post by PaulBx1 »

Bruce, you mentioned the sqlite files before. I guess I don't understand how you can delete all of them, since that includes (for example) signon.sqlite. I couldn't function without site login information stored in the browser. No way I could remember every login.

Bruce B

#42 Post by Bruce B »

PaulBx1 wrote:Bruce, you mentioned the sqlite files before.
I guess I don't understand how you can delete all of them,
since that includes (for example) signon.sqlite. I couldn't
function without site login information stored in the browser.
No way I could remember every login.

PaulBx1,

I understand exactly what you mean.

For others, deleting the *.sqlite means all the information in
them is gone. But you don't necessarily want to keep
deleting all the information because some of it you want.

I've been learning Windows XP lately, so first I'll explain how
I did it with XP.

1) delete all *.sqlite

2) when the browser starts it will make fresh *.sqlite files

3) go to the trusted sites you regularly visit and enter your
login information

4) after you have done this, shut down the browser.

5) copy all the *.sqlite files (which have basically only
information you do want) to a different directory, such as
one level up

6) make a batch file to delete the *.sqlite files in the profile
directory and copy back the ones which have the login
information you want

~~~~~~~~~~~~~~~

You can use the same basic technique with the Linux bash
script.

~~~~~~~~~~~~~~~

Now I'll offer an experiment for anyone who wants to do
some testing.

In Windows go through step 4 and make the files read-only

In Linux go through step 4 and make the files immutable
using the chattr utility. I don't remember if the operative
switch is -i or +i , I think it is +i, if so the command would
be:

chattr +i *.sqlite

~~~~~~~~~~~~~~~~

I learned to do this in the Netscape days. There was a
period in time where a lot of sites wanted cookies enabled. I
made the cookie file read-only and no site ever balked.

Moreover, it seemed they had the cookie feedback they
wanted, which caused me to suspect the cookie information
existed in some cache even though it was never written to
disk.

~~~~~~~~~~~~~~~~~

In conclusion, the first steps I outlined do work. It requires
a little work to get it set up, but once set up it is a piece of
cake.

The read-only / immutable portion of the post would be
experimental insofar as I haven't tested it. But I think it
stands a good enough chance of working that it's worth a
try.

Bruce

One last thought. The sqlite files are binary. Puppy's strings
utility will display text in these binary files. A hexeditor will
also.

If anyone has some sqlite files that have been in use for a
while, and you want to see the contents, you'll get an idea
of the kind of personal data they contain.

Also, and very importantly, they were mentioned as a
storage point for the topic of discussion: Evercookies

~
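
The delete-and-restore routine from steps 1 to 6 of the post above, written as a bash function (an added example, not part of the original posts). The function name `reset_sqlite` and both directory arguments are assumptions; it also removes SQLite's `-wal`, `-shm` and `-journal` sidecar files, which the post does not mention.

```shell
#!/bin/bash
# Added example: reset a browser profile's SQLite stores to a saved baseline.
# Run it only while the browser is shut down (step 4 of the post).
# Usage (placeholder paths): reset_sqlite /path/to/profile /path/to/baseline

reset_sqlite() {
    rs_profile=$1
    rs_baseline=$2

    # Refuse to run without both directories: deleting with nothing to
    # restore would wipe the saved logins as well.
    [ -d "$rs_profile" ] || { echo "no profile dir: $rs_profile" >&2; return 2; }
    [ -d "$rs_baseline" ] || { echo "no baseline dir: $rs_baseline" >&2; return 2; }

    # The baseline must hold at least one .sqlite file (step 5 of the post).
    # An unmatched glob stays literal, so test that the first match exists.
    set -- "$rs_baseline"/*.sqlite
    [ -e "$1" ] || { echo "baseline is empty: $rs_baseline" >&2; return 3; }

    # Step 6, first half: delete every store in the profile, plus SQLite's
    # sidecar files, which can hold recently written rows.
    find "$rs_profile" -maxdepth 1 -type f \
        \( -name '*.sqlite' -o -name '*.sqlite-wal' \
           -o -name '*.sqlite-shm' -o -name '*.sqlite-journal' \) \
        -exec rm -f -- {} +

    # Step 6, second half: copy the known-good stores back, keeping
    # their mode and timestamps.
    for rs_file in "$@"; do
        cp -p -- "$rs_file" "$rs_profile"/ || return 4
    done
}
```

Files in the profile that are not SQLite stores are left untouched, and a missing or empty baseline aborts before anything is deleted.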

droope
Posts: 801
Joined: Fri 01 Aug 2008, 00:17
Location: Uruguay, Mercedes

#43 Post by droope »

Hiya :)

Cookies are no way evil...

or harmful...


Just information being stored. :)

Aaanyway, noscript + blocking flash kills evercookies. :)

Regards,
Droope
What seems hard is actually easy, while what looks like impossible is in fact hard.

“Hard things take time to do. Impossible things take a little longer.” –Percy Cerutty

My blog (Spanish): http://droope.wordpress.com/

Bruce B

#44 Post by Bruce B »

droope wrote:Hiya :)

Cookies are no way evil...

or harmful...


Just information being stored. :)

Cookies are tracking devices.

People's main consideration about them would be 'privacy related', which is
why I'd much rather this forum had a section for Privacy and another for
Security.

I like Trackers in cyberspace about as much as I do Stalkers and Peeping
Toms in the real world. Which is not at all.

droope wrote:Aaanyway, noscript + blocking flash kills evercookies. :)

The Evercookie uses JavaScript APIs to do its dirty work. So, if JavaScript
is turned off one wouldn't get this kind of cookie.

But turning it off wouldn't delete the cookie if it existed. It would prevent it
from being used.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#45 Post by nooby »

And if one turns off java then many sites refuse to let one make a comment or write in their forum or to read the text until one allows at least the major Ad provider to show their ad and then one sees the text one looks for.

So it is not easy. I try to use NoScript in FireFox but Opera and Chrome have their own Ad blockers and those are too difficult for me to learn how to use.

So I am kind of locked to use FireFox and as far as I know they have no addon yet for an EverCookie?

But are EverCookies being used now on many sites? First I thought that almost every big site used them and now I read that it is only a concept a guy showed off and almost none use them but that in the future maybe a lot of sites would?
I use Google Search on Puppy Forum
not an ideal solution though

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#46 Post by jpeps »

nooby wrote:And if one turns off java then many sites refuse to let one make a comment or write in their forum or to read the text until one allows at least the major Ad provider to show their ad and then one sees the text one looks for.

So it is not easy. I try to use NoScript in FireFox but Opera and Chrome have their own Ad blockers and those are too difficult for me to learn how to use.

So I am kind of locked to use FireFox and as far as I know they have no addon yet for an EverCookie?

It's lots easier to mark and replace changed files from a mozilla backup.
If you want to add passwords, etc., then mark/replace changed files to the backup. I delete all flash LSOs every session.

nooby wrote:But are EverCookies being used now on many sites? First I thought that almost every big site used them and now I read that it is only a concept a guy showed off and almost none use them but that in the future maybe a lot of sites would?

Follow the money; evercookies and variations thereof are already being sold.

jrb
Posts: 1536
Joined: Tue 11 Dec 2007, 19:56
Location: Smithers, BC, Canada

#47 Post by jrb »

I have developed a strategy to fight against these demonic creations. :x Please see Fighting Persistant Cookies and eliminating bloat

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#48 Post by nooby »

Thanks jrb, interesting approach.

Fighting Persistant Cookies and eliminating bloat
http://www.murga-linux.com/puppy/viewtopic.php?t=62391

Here is another approach, to go the legal way to give us rights to not be followed around.

Anti-tracking initiative gets US government support

* 22:04 01 December 2010 by Jim Giles

The system, known as Do Not Track, received a vote of confidence today from the Federal Trade Commission (FTC), the US government agency responsible for protecting consumers.

The commission said that it wants companies that track our movements across the web, such as advertising firms, to use Do Not Track to give consumers an easy way to opt out of such monitoring.

Now how can we trust them, maybe best to also make things like jrb suggests

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#49 Post by Flash »

http://ashkansoltani.org/docs/respawn_redux.html
RESPAWN REDUX

(Follow up to Flash Cookies and Privacy II)

Ashkan Soltani

08/11/2011

I thought I'd take the time to elaborate a bit further regarding the technical mechanisms described in our 'Flash Cookies and Privacy II' paper that generated a bit of buzz recently. For a bit of background, I, along with Chris Hoofnagle and Nathan Good, had the honor of supervising Mika Ayenson and Dietrich J. Wambach in replicating our previous 2009 study which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed ‘respawning’).
In our follow up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics (Hulu and KISSmetrics have both ceased respawning as of July 29th 2011.) Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed.....

It continues with a technical description of how respawning works, etc.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#50 Post by nooby »

Thanks, it shows how eager they are to know if one clicks on ads or not?
